CN112351010B - Network security situation sensing system and method based on local area network - Google Patents


Info

Publication number: CN112351010B
Authority: CN (China)
Prior art keywords: virus, time, attack, value, threat
Legal status: Expired - Fee Related (the legal status is an assumption and not a legal conclusion; Google has not performed a legal analysis and makes no representation as to its accuracy)
Application number: CN202011167000.2A
Other languages: Chinese (zh)
Other versions: CN112351010A (en)
Inventor: 孙强强
Current Assignee: Binzhou University (the listed assignees may be inaccurate; Google has not performed a legal analysis)
Original Assignee: Binzhou University

Application filed by Binzhou University
Priority to CN202011167000.2A
Publication of CN112351010A
Application granted
Publication of CN112351010B
Current legal status: Expired - Fee Related

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate


Abstract

The invention discloses a network security situation perception system and a method based on a local area network, which comprises a virus monitoring module, a data analysis module, a controller, a storage module, a data processing module, a CPU monitoring module, a network speed monitoring module, a security evaluation module and a display module; the data analysis module is used for receiving host information infected by the worm virus in a preset time period and analyzing the host information to obtain equipment threat table information and virus threat table information; when the data processing module receives the virus signals transmitted by the virus monitoring module, data analysis is carried out to obtain an attack value Pg; the CPU monitoring module is used for monitoring the real-time utilization rate of a CPU of the host equipment and carrying out steady-state analysis on the real-time utilization rate to obtain a steady-state value Ui; when the security evaluation module receives the attack value Pg, the security evaluation module automatically combines the steady state value Ui, the real-time utilization rate group Fa and the real-time network access speed to perform security analysis, so that the result is more accurate.

Description

Network security situation sensing system and method based on local area network
Technical Field
The invention belongs to the field of network security, relates to a security perception technology, and particularly relates to a network security situation perception system and method based on a local area network.
Background
The patent with publication number CN105100013B discloses a method for sensing network security devices, a network security device and a controller, which solves the problem that the prior art cannot realize that the controller senses the network security devices. The method comprises the following steps: the network security equipment receives a Link Layer Discovery Protocol (LLDP) message; the network security device adds the device information of the network security device in the LLDP message and sends the LLDP message added with the device information of the network security device to the controller, so that the controller can sense the network security device through the device information of the network security device in the LLDP message.
However, in that approach the controller senses the network security device only through the device information carried in the LLDP message; the overall virus attack on the system, sudden changes in CPU usage and the associated virus attack conditions are not reflected objectively and comprehensively, so the result obtained is not accurate enough, high-risk host devices cannot be intelligently identified, different security protection cannot be applied to different virus attacks, and no effective help is provided for expanding and strengthening the sensing system. To overcome these drawbacks, a solution is now provided.
Disclosure of Invention
Aiming at the defects in the prior art, the invention aims to provide a network security situation perception system and a network security situation perception method based on a local area network. According to the method, host information infected by the worm virus in a preset time period is analyzed to obtain equipment threat table information and virus threat table information, and managers can clearly see the threat of each host equipment attacked by the virus and the threat of each virus through the equipment threat table information and the virus threat table information; the host equipment with high risk is intelligently identified according to the equipment threat value Qi and the virus threat value Ri, different safety protection is implemented aiming at different virus attacks, and the safety protection effect is effectively enhanced;
when the virus signal is monitored to be generated, recording host information infected by the virus at the moment and analyzing to obtain an attack value; the CPU monitoring module is used for monitoring the real-time utilization rate of a CPU of the host equipment and carrying out steady-state analysis on the real-time utilization rate to obtain a steady-state value; when the security evaluation module receives the attack value, the security evaluation module can automatically combine the steady state value, the real-time utilization rate group and the real-time network access speed to perform security analysis to obtain a security evaluation value, and the controller is used for performing grade evaluation on the security evaluation value to obtain an early warning signal, so that the result is more accurate, and management personnel can conveniently process the result.
The purpose of the invention can be realized by the following technical scheme: a network security situation perception system based on a local area network comprises a virus monitoring module, a data analysis module, a controller, a storage module, a data processing module, a CPU monitoring module, a network speed monitoring module, a security evaluation module and a display module;
the virus monitoring module is used for detecting the worm virus and acquiring host information infected by the worm virus in a preset time period, and the data analysis module is used for receiving that host information and analyzing it to obtain equipment threat table information and virus threat table information;
the virus monitoring module is used for transmitting a virus signal to the data processing module when a virus is monitored; when the data processing module receives the virus signals transmitted by the virus monitoring module, data analysis is carried out to obtain an attack value Pg;
the data processing module is used for transmitting the attack value Pg to the security evaluation module;
the CPU monitoring module is used for monitoring the real-time utilization rate of a CPU of the host equipment and carrying out steady-state analysis on the real-time utilization rate to obtain a steady-state value Ui;
the CPU monitoring module is used for transmitting the steady state value Ui and the real-time utilization rate group Fa to the safety evaluation module; the network speed monitoring module is used for monitoring the real-time network access speed of the host equipment and transmitting the real-time network access speed to the security evaluation module;
when receiving the attack value Pg, the security evaluation module automatically combines the steady state value Ui, the real-time utilization rate group Fa and the real-time network access speed to perform security analysis to obtain a security evaluation value AC;
the safety evaluation module is used for transmitting the safety evaluation value AC to the controller, and the controller is used for carrying out grade evaluation on the safety evaluation value AC to obtain an early warning signal, and specifically comprises the following steps:
AA1: when AC ≤ X2, the early warning signal is a light threat signal;
AA2: when X2 < AC < X3, the early warning signal is a moderate threat signal;
AA3: when AC ≥ X3, the early warning signal is a severe threat signal; wherein X2 and X3 are preset values;
the controller is used for transmitting the security evaluation value AC to the display module for displaying, and correspondingly displaying words of 'light threat', 'moderate threat' and 'severe threat' when the light threat signal, the moderate threat signal and the severe threat signal are generated.
Further, the specific working steps of the data analysis module are as follows:
Step one: acquiring host information infected by the worm virus in a preset time period; the host information comprises a host equipment number, a virus name, a virus attack starting time and a virus attack finishing time; calculating the time difference between the virus attack ending time and the virus attack starting time in the host information to obtain the virus attack duration;
Step two: accumulating the attacked times of the same host equipment number according to the host equipment number to form the equipment attack frequency, and marking the equipment attack frequency as J1i; wherein i represents the ith host device;
accumulating the virus attack durations of the same host equipment number according to the host equipment number to form the total equipment attack duration, and marking the total equipment attack duration as J2i; the equipment attack frequency J1i corresponds to the total equipment attack duration J2i one by one;
Step three: setting each host equipment number to correspond to a preset value, matching the host equipment number against all the host equipment numbers to obtain the corresponding equipment preset value, and marking the equipment preset value as Wi;
normalizing the equipment attack frequency, the total equipment attack duration and the equipment preset value and taking the resulting numerical values;
assigning weights to the equipment attack frequency, the total equipment attack duration and the equipment preset value, marking the weight of the equipment attack frequency as Z1, the weight of the total equipment attack duration as Z2 and the weight of the equipment preset value as Z3, wherein Z1, Z2 and Z3 are preset values and Z1 > Z2 > Z3;
Step four: calculating the device threat value Qi of each host device by using the formula Qi = J1i × Z1 + J2i × Z2 + Wi × Z3;
arranging the host equipment in descending order according to the equipment threat values Qi and making the equipment threat table information;
Step five: accumulating the attack times of the same virus name according to the virus name to form the virus attack frequency, and marking the virus attack frequency as J3m; wherein m represents the mth virus;
accumulating the virus attack durations of the same virus name according to the virus name to form the total virus attack duration, and marking the total virus attack duration as J4m; the virus attack frequency J3m corresponds to the total virus attack duration J4m one by one;
Step six: setting each virus to correspond to a preset value, matching the virus against all the viruses to obtain the corresponding virus preset value, and marking the virus preset value as Bm;
normalizing the virus attack frequency, the total virus attack duration and the virus preset value and taking the resulting numerical values;
assigning weights to the virus attack frequency, the total virus attack duration and the virus preset value, marking the weight of the virus attack frequency as C1, the weight of the total virus attack duration as C2 and the weight of the virus preset value as C3, wherein C1, C2 and C3 are preset values and C1 > C2 > C3;
Step seven: calculating the virus threat value Ri of each virus by using the formula Ri = J3m × C1 + J4m × C2 + Bm × C3;
arranging the viruses in descending order according to the virus threat values Ri and making the virus threat table information;
the data analysis module is used for transmitting the equipment threat table information and the virus threat table information to the controller, and the controller receives the equipment threat table information and the virus threat table information transmitted by the data analysis module and transmits the equipment threat table information and the virus threat table information to the storage module for storage.
Further, the specific analysis process of the steady state analysis is as follows:
SS1: marking the start time of the virus attack as time t and setting the real-time utilization rate of the CPU acquired at time t as F_t; collecting the real-time utilization rate of the CPU once every T1 from the start time of the virus attack to the end time of the virus attack and marking it as F_{t+x}, x = 1, ..., n; obtaining the real-time utilization rate group Fa;
SS2: marking the end time of the virus attack as time r and setting the real-time utilization rate of the CPU acquired at time r as F_r;
SS3: using the formula
Figure BDA0002746138430000051
obtaining the steady-state deviation value GL1 of the real-time utilization rate group Fa from F_t;
using formulas
Figure BDA0002746138430000052
obtaining the steady-state deviation value GL2 of the real-time utilization rate group Fa from F_r;
SS4: obtaining the steady-state value Ui by using the formula Ui = GL1 × D1 + GL2 × D2, wherein D1 and D2 are preset coefficient factors and D1 > D2.
Further, the specific steps of the security analysis are as follows:
DD1: when the attack value Pg is received, acquiring the real-time utilization rate group Fa at that moment;
DD2: traversing the real-time utilization rate group Fa and acquiring the maximum real-time utilization rate Fmax and the minimum real-time utilization rate Fmin;
calculating the difference Fc between the maximum and the minimum real-time utilization rate, namely Fc = Fmax − Fmin;
DD3: calculating the real-time utilization rate difference Gc before and after the virus attack, namely Gc = F_r − F_t;
obtaining the difference ratio Cb by using the formula Cb = Fc / Gc;
DD4: acquiring the real-time network access speed when the attack value Pg is received and marking it as S1;
DD5: normalizing the attack value Pg, the steady-state value Ui, the difference ratio Cb and the real-time network access speed S1 and taking the resulting values;
using the formula
Figure BDA0002746138430000061
obtaining the security evaluation value AC; wherein d1, d2, d3 and d4 are all preset proportionality coefficients, and α is a compensation factor taking the value 0.56325.
Further, the data processing module comprises the following specific working steps:
S1: when the virus signal is monitored to be generated, recording the host information infected by the virus at that moment;
S2: automatically acquiring from the storage module, according to the host information, the device threat value corresponding to the host device number and marking it as Qc, and the virus threat value corresponding to the virus name and marking it as Rc;
S3: acquiring the start time and the end time of the virus attack, calculating the time difference between them to obtain the virus attack duration, and marking the virus attack duration as Gi;
S4: using the formula
Figure BDA0002746138430000062
calculating the attack value Pg; wherein a1, a2 and a3 are all preset coefficient factors.
A network security situation perception method based on a local area network comprises the following specific steps:
W1: detecting the worm virus on the host equipment and acquiring host information infected by the worm virus in a preset time period;
W2: obtaining the equipment threat table information and the virus threat table information according to the host information obtained in step W1;
W3: when a virus signal is monitored to be generated, recording the host information infected by the virus at that moment and analyzing it to obtain the attack value Pg; the specific analysis steps are as follows:
W31: automatically acquiring, according to the host information, the corresponding device threat value from the device threat table information and the corresponding virus threat value from the virus threat table information of step W2, and marking them as Qc and Rc respectively;
W32: acquiring the start time and the end time of the virus attack, calculating the time difference between them to obtain the virus attack duration, and marking the virus attack duration as Gi;
W33: using the formula
Figure BDA0002746138430000071
calculating the attack value Pg;
W4: monitoring the real-time utilization rate of the CPU of the host equipment and performing steady-state analysis on it to obtain the steady-state value Ui;
W5: performing security analysis by combining the attack value Pg, the steady-state value Ui, the real-time utilization rate group Fa and the real-time network access speed to obtain the security evaluation value AC;
W6: performing grade judgment on the security evaluation value AC to obtain an early warning signal, specifically:
W61: when AC ≤ X2, the early warning signal is a light threat signal;
W62: when X2 < AC < X3, the early warning signal is a moderate threat signal;
W63: when AC ≥ X3, the early warning signal is a severe threat signal.
The invention has the beneficial effects that:
1. the method comprises the steps that host information infected by the worm virus in a preset time period is received through a data analysis module and analyzed to obtain equipment threat table information and virus threat table information; through the device threat table information and the virus threat table information, managers can clearly see the threat of each host device attacked by the virus and the threat of each virus; the host equipment with high risk is intelligently identified according to the equipment threat value Qi and the virus threat value Ri, different safety protection is implemented aiming at different virus attacks, and the safety protection effect is effectively enhanced;
2. The data processing module analyzes and judges the virus attack suffered by the host to obtain the attack value Pg; the CPU monitoring module then monitors and analyzes the real-time utilization rate of the CPU of the host equipment to obtain the steady-state value Ui; meanwhile, the network speed monitoring module monitors the real-time network access speed of the host equipment; comprehensive analysis combining the attack value Pg, the steady-state value Ui and the real-time network access speed then yields the security evaluation value AC, and grade evaluation of AC yields an early warning signal, so that the result is more accurate and management personnel can conveniently act on the early warning signal.
Drawings
In order to facilitate understanding for those skilled in the art, the present invention will be further described with reference to the accompanying drawings.
FIG. 1 is a block diagram of the system of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
As shown in fig. 1, a network security situation awareness system based on a local area network includes a virus monitoring module, a data analysis module, a controller, a storage module, a data processing module, a CPU monitoring module, a network speed monitoring module, a security evaluation module, and a display module;
the virus monitoring module is used for detecting the worm virus and acquiring host information infected by the worm virus in a preset time period, wherein the host information comprises a host equipment number, a virus name, a virus attack starting time and a virus attack finishing time; the data analysis module is used for receiving host information infected by the worm virus in a preset time period and analyzing the host information to obtain equipment threat table information and virus threat table information, and the data analysis module comprises the following specific working steps:
Step one: acquiring host information infected by the worm virus in a preset time period; calculating the time difference between the virus attack ending time and the virus attack starting time in the host information to obtain the virus attack duration;
Step two: accumulating the attacked times of the same host equipment number according to the host equipment number to form the equipment attack frequency, and marking the equipment attack frequency as J1i; wherein i represents the ith host device;
accumulating the virus attack durations of the same host equipment number according to the host equipment number to form the total equipment attack duration, and marking the total equipment attack duration as J2i; the equipment attack frequency J1i corresponds to the total equipment attack duration J2i one by one;
Step three: setting each host equipment number to correspond to a preset value, matching the host equipment number against all the host equipment numbers to obtain the corresponding equipment preset value, and marking the equipment preset value as Wi;
normalizing the equipment attack frequency, the total equipment attack duration and the equipment preset value and taking the resulting numerical values;
assigning weights to the equipment attack frequency, the total equipment attack duration and the equipment preset value, marking the weight of the equipment attack frequency as Z1, the weight of the total equipment attack duration as Z2 and the weight of the equipment preset value as Z3, wherein Z1, Z2 and Z3 are preset values and Z1 > Z2 > Z3;
Step four: calculating the device threat value Qi of each host device by using the formula Qi = J1i × Z1 + J2i × Z2 + Wi × Z3;
arranging the host equipment in descending order according to the equipment threat values Qi and making the equipment threat table information;
Step five: accumulating the attack times of the same virus name according to the virus name to form the virus attack frequency, and marking the virus attack frequency as J3m; wherein m represents the mth virus;
accumulating the virus attack durations of the same virus name according to the virus name to form the total virus attack duration, and marking the total virus attack duration as J4m; the virus attack frequency J3m corresponds to the total virus attack duration J4m one by one;
Step six: setting each virus to correspond to a preset value, matching the virus against all the viruses to obtain the corresponding virus preset value, and marking the virus preset value as Bm;
normalizing the virus attack frequency, the total virus attack duration and the virus preset value and taking the resulting numerical values;
assigning weights to the virus attack frequency, the total virus attack duration and the virus preset value, marking the weight of the virus attack frequency as C1, the weight of the total virus attack duration as C2 and the weight of the virus preset value as C3, wherein C1, C2 and C3 are preset values and C1 > C2 > C3;
Step seven: calculating the virus threat value Ri of each virus by using the formula Ri = J3m × C1 + J4m × C2 + Bm × C3;
arranging the viruses in descending order according to the virus threat values Ri and making the virus threat table information;
the data analysis module is used for transmitting the equipment threat table information and the virus threat table information to the controller, and the controller receives the equipment threat table information and the virus threat table information transmitted by the data analysis module and transmits the equipment threat table information and the virus threat table information to the storage module for storage;
through the device threat table information and the virus threat table information, managers can clearly see the threat of each host device attacked by the virus and the threat of each virus; the host equipment with high risk is intelligently identified according to the equipment threat value Qi and the virus threat value Ri, different safety protection is implemented aiming at different virus attacks, and the safety protection effect is effectively enhanced;
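The following Python is an added worked example, not code from the patent or its assignee: it implements the data analysis module's steps one to seven as described in the Disclosure of Invention and repeated in this Detailed Description, turning worm-infection records into the device threat table (Qi) and the virus threat table (Ri). The host information records, the preset values Wi and Bm and the weights Z1..Z3, C1..C3 are constructed sample values, and min-max normalisation is an assumption, since the page only says the quantities are normalized. The weight-ordering check (Z1 > Z2 > Z3, C1 > C2 > C3) is the one a reviewer would want before trusting any ranking the tables produce.

```python
"""Device and virus threat tables (steps one to seven of the data analysis
module). Added example; normalisation method and sample data are assumed."""
from collections import defaultdict
from datetime import datetime

# Constructed sample host information (not data from the patent):
# (host device number, virus name, attack start time, attack end time)
HOST_INFO = [
    ("H01", "WormA", "2020-10-01 09:00", "2020-10-01 09:30"),
    ("H01", "WormB", "2020-10-02 10:00", "2020-10-02 12:00"),
    ("H02", "WormA", "2020-10-03 08:00", "2020-10-03 08:10"),
    ("H03", "WormA", "2020-10-04 14:00", "2020-10-04 14:05"),
    ("H01", "WormA", "2020-10-05 11:00", "2020-10-05 11:20"),
]

# Preset values Wi (per device) and Bm (per virus); assumed sample values.
DEVICE_PRESET = {"H01": 0.9, "H02": 0.5, "H03": 0.2}
VIRUS_PRESET = {"WormA": 0.7, "WormB": 0.4}

# Weights (Z1, Z2, Z3) and (C1, C2, C3); the page requires a strict ordering.
Z = (0.5, 0.3, 0.2)
C = (0.5, 0.3, 0.2)

FMT = "%Y-%m-%d %H:%M"


def attack_duration_minutes(start, end):
    """Step one: virus attack duration = end time - start time (minutes)."""
    delta = datetime.strptime(end, FMT) - datetime.strptime(start, FMT)
    return delta.total_seconds() / 60


def minmax(values):
    """Assumed normalisation (min-max); the page only says 'normalizing'."""
    lo, hi = min(values), max(values)
    if hi == lo:
        return [0.0 for _ in values]
    return [(v - lo) / (hi - lo) for v in values]


def threat_table(records, key_index, presets, weights):
    """Steps two to four (key_index 0, devices) or five to seven
    (key_index 1, viruses): accumulate attack frequency (J1i / J3m) and
    total attack duration (J2i / J4m) per key, normalise, weight and sort
    in descending order of threat value."""
    w1, w2, w3 = weights
    if not (w1 > w2 > w3):
        raise ValueError("weights must satisfy w1 > w2 > w3")
    freq = defaultdict(int)
    total = defaultdict(float)
    for rec in records:
        key = rec[key_index]
        freq[key] += 1
        total[key] += attack_duration_minutes(rec[2], rec[3])
    keys = sorted(freq)
    f_n = minmax([freq[k] for k in keys])
    t_n = minmax([total[k] for k in keys])
    p_n = minmax([presets[k] for k in keys])
    scores = {k: f_n[i] * w1 + t_n[i] * w2 + p_n[i] * w3
              for i, k in enumerate(keys)}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


def device_threat_table(records=HOST_INFO):
    """Equipment threat table: [(host device number, Qi), ...] descending."""
    return threat_table(records, 0, DEVICE_PRESET, Z)


def virus_threat_table(records=HOST_INFO):
    """Virus threat table: [(virus name, Ri), ...] descending."""
    return threat_table(records, 1, VIRUS_PRESET, C)


if __name__ == "__main__":
    print("device threat table:", device_threat_table())
    print("virus threat table:", virus_threat_table())
```

With the constructed records, H01 (three infections, the longest total duration and the highest preset value) tops the device table and WormA tops the virus table; a host that is infected once for a long time can still outrank a host infected often but briefly, which is exactly the trade-off the weights Z1 > Z2 > Z3 encode.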
the virus monitoring module is used for transmitting a virus signal to the data processing module when a virus is monitored; when the data processing module receives the virus signals transmitted by the virus monitoring module, data analysis is carried out to obtain an attack value Pg; the data processing module comprises the following specific working steps:
S1: when the virus signal is monitored to be generated, recording the host information infected by the virus at that moment;
S2: automatically acquiring from the storage module, according to the host information, the device threat value corresponding to the host device number and marking it as Qc, and the virus threat value corresponding to the virus name and marking it as Rc;
S3: acquiring the start time and the end time of the virus attack, calculating the time difference between them to obtain the virus attack duration, and marking the virus attack duration as Gi;
S4: using the formula
Figure BDA0002746138430000101
calculating the attack value Pg; wherein a1, a2 and a3 are all preset coefficient factors;
the data processing module is used for transmitting the attack value Pg to the security evaluation module;
the CPU monitoring module is used for monitoring the real-time utilization rate of a CPU of the host equipment and carrying out steady-state analysis on the real-time utilization rate to obtain a steady-state value Ui; the specific analytical procedure for the steady state analysis is as follows:
SS1: marking the start time of the virus attack as time t and setting the real-time utilization rate of the CPU acquired at time t as F_t; collecting the real-time utilization rate of the CPU once every T1 from the start time of the virus attack to the end time of the virus attack and marking it as F_{t+x}, x = 1, ..., n; obtaining the real-time utilization rate group Fa;
SS2: marking the end time of the virus attack as time r and setting the real-time utilization rate of the CPU acquired at time r as F_r; wherein the time t + x is the time closest to time r;
SS3: using the formula
Figure BDA0002746138430000111
obtaining the steady-state deviation value GL1 of the real-time utilization rate group Fa from F_t;
using formulas
Figure BDA0002746138430000112
obtaining the steady-state deviation value GL2 of the real-time utilization rate group Fa from F_r;
SS4: obtaining the steady-state value Ui by using the formula Ui = GL1 × D1 + GL2 × D2, wherein D1 and D2 are preset coefficient factors and D1 > D2;
the CPU monitoring module is used for transmitting the steady state value Ui and the real-time utilization rate group Fa to the safety evaluation module; the network speed monitoring module is used for monitoring the real-time network access speed of the host equipment and transmitting the real-time network access speed to the security evaluation module;
when the security evaluation module receives the attack value Pg, the security evaluation module automatically combines the steady state value Ui, the real-time utilization rate group Fa and the real-time network access speed to perform security analysis, and the security analysis comprises the following specific steps:
DD 1: when receiving the attack value Pg, acquiring a real-time utilization rate group Fa at the moment;
DD 2: traversing the real-time utilization rate group Fa, and acquiring the maximum value of the real-time utilization rate as Fmax and the minimum value of the real-time utilization rate as Fmin;
calculating the difference Fc between the maximum and minimum real-time utilization rates, namely Fc = Fmax - Fmin;
DD3: calculating the real-time utilization rate difference Gc before and after the virus attack, namely Gc = F_r - F_t;
obtaining the difference ratio Cb by the formula Cb = Fc / Gc;
DD 4: acquiring the real-time network access speed when the attack value Pg is received, and marking the real-time network access speed as S1;
DD5: normalizing the attack value Pg, the steady-state value Ui, the difference ratio Cb and the real-time network access speed S1 and taking the normalized values; using a formula (image BDA0002746138430000121, not reproduced on this page), the security evaluation value AC is obtained, where d1, d2, d3 and d4 are preset proportionality coefficients and alpha is a compensation factor with the value 0.56325;
the safety evaluation module is used for transmitting the safety evaluation value AC to the controller, and the controller is used for carrying out grade evaluation on the safety evaluation value AC to obtain an early warning signal, and specifically comprises the following steps:
AA1: when AC ≤ X2, the early warning signal is a light threat signal;
AA2: when X2 < AC < X3, the early warning signal is a moderate threat signal;
AA3: when AC ≥ X3, the early warning signal is a severe threat signal; wherein X2 and X3 are preset values;
the controller is used for transmitting the security evaluation value AC to the display module for displaying, and correspondingly displaying words of 'light threat', 'moderate threat' and 'severe threat' when the light threat signal, the moderate threat signal and the severe threat signal are generated.
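As an added worked example (Python written for this page, not code from the patent), the steady-state analysis SS1 to SS4, the security analysis DD1 to DD5 and the grade judgment AA1 to AA3 above, run over a constructed CPU sample series. The page reproduces neither the GL1/GL2 formulas nor the AC formula (both are image references), so the RMS deviation used for GL1 and GL2, the min-max normalisation of DD5 and the weighted-sum form of AC are assumptions, as are the numeric values of D1, D2, d1 to d4, X2, X3 and the normalisation ranges; only alpha = 0.56325, Ui = GL1 × D1 + GL2 × D2, Fc, Gc, Cb and the threshold rule are taken from the page. The example also handles the case the page leaves open: Gc = F_r - F_t is zero whenever CPU utilization has returned to its pre-attack level by the end of the attack, so Cb = Fc / Gc has to be guarded.

```python
"""SS1-SS4 (steady-state CPU analysis), DD1-DD5 (security evaluation) and
AA1-AA3 (grade judgment) of the description.  Added illustration, not the
patent's code.  The page gives no formula for GL1, GL2 or AC (image references
only), so the RMS deviation, the min-max normalisation and the weighted sum
below are ASSUMED; so are the numeric D1 > D2, d1..d4, X2 < X3 and the ranges.
Taken from the page: alpha = 0.56325, Ui = GL1*D1 + GL2*D2, Fc = Fmax - Fmin,
Gc = Fr - Ft, Cb = Fc / Gc and the AA1-AA3 threshold rule."""
from dataclasses import dataclass
from math import sqrt
from typing import Any, Dict, Sequence


@dataclass(frozen=True)
class Params:
    D1: float = 0.6           # assumed; the page only requires D1 > D2
    D2: float = 0.4
    d1: float = 0.4           # assumed proportionality coefficients d1..d4
    d2: float = 0.3
    d3: float = 0.2
    d4: float = 0.1
    alpha: float = 0.56325    # compensation factor, value stated on the page
    X2: float = 0.2           # assumed grade thresholds, X2 < X3
    X3: float = 0.4
    pg_max: float = 10.0      # assumed upper bounds for min-max normalisation
    ui_max: float = 50.0
    cb_max: float = 5.0
    s1_max: float = 100.0     # network access speed, Mbit/s assumed

    def __post_init__(self) -> None:
        if not self.D1 > self.D2:
            raise ValueError("page requires D1 > D2")
        if not self.X2 < self.X3:
            raise ValueError("X2 must be below X3")


def rms_deviation(samples: Sequence[float], ref: float) -> float:
    """ASSUMED reading of 'steady deviation value of Fa from a reference':
    root-mean-square distance of the samples from ref."""
    return sqrt(sum((f - ref) ** 2 for f in samples) / len(samples))


def steady_state_value(fa: Sequence[float], p: Params) -> float:
    """SS1-SS4: fa = [F_t, F_{t+1}, ..., F_{t+n}] sampled every T1 from attack
    start t to attack end r, so fa[0] is F_t and fa[-1] is F_r."""
    if len(fa) < 2:
        raise ValueError("need at least the start and end samples")
    gl1 = rms_deviation(fa, fa[0])    # GL1: deviation of Fa from F_t
    gl2 = rms_deviation(fa, fa[-1])   # GL2: deviation of Fa from F_r
    return gl1 * p.D1 + gl2 * p.D2


def difference_ratio(fa: Sequence[float], eps: float = 1e-9) -> float:
    """DD2-DD3: Fc = Fmax - Fmin, Gc = F_r - F_t, Cb = Fc / Gc.
    The page leaves Gc = 0 (CPU back at its pre-attack level) undefined; a real
    collector sees that often, so it is reported as +inf here and normalisation
    clamps it to 1.  A negative Gc yields a negative Cb, which clamps to 0."""
    fc = max(fa) - min(fa)
    gc = fa[-1] - fa[0]
    if abs(gc) < eps:
        return float("inf")
    return fc / gc


def normalise(value: float, upper: float) -> float:
    """ASSUMED min-max normalisation onto [0, 1] with lower bound 0."""
    return min(max(value / upper, 0.0), 1.0)


def security_evaluation(pg: float, ui: float, cb: float, s1: float,
                        p: Params) -> float:
    """DD5, ASSUMED form: alpha times a d1..d4-weighted sum of the normalised
    Pg, Ui, Cb and S1 (the page's own formula image is not reproduced)."""
    return p.alpha * (p.d1 * normalise(pg, p.pg_max)
                      + p.d2 * normalise(ui, p.ui_max)
                      + p.d3 * normalise(cb, p.cb_max)
                      + p.d4 * normalise(s1, p.s1_max))


def grade(ac: float, p: Params) -> str:
    """AA1-AA3: AC <= X2 light, X2 < AC < X3 moderate, AC >= X3 severe."""
    if ac <= p.X2:
        return "light threat"
    if ac < p.X3:
        return "moderate threat"
    return "severe threat"


def evaluate(pg: float, fa: Sequence[float], s1: float,
             p: Params = Params()) -> Dict[str, Any]:
    """Whole chain once an attack value Pg arrives (DD1 onwards)."""
    ui = steady_state_value(fa, p)
    cb = difference_ratio(fa)
    ac = security_evaluation(pg, ui, cb, s1, p)
    return {"Ui": ui, "Cb": cb, "AC": ac, "signal": grade(ac, p)}


if __name__ == "__main__":
    # Constructed sample: CPU % sampled every T1 across one worm attack,
    # a received attack value Pg and the access speed S1 at that moment.
    print(evaluate(pg=7.5, fa=[12.0, 35.0, 60.0, 85.0, 90.0, 70.0], s1=48.0))
```

Because the grade boundaries are inclusive on the light side (AC ≤ X2) and on the severe side (AC ≥ X3), a score exactly on X2 is reported as light and one exactly on X3 as severe; whichever stand-in formula replaces the page's AC image, the preset X2 and X3 have to be chosen against that formula's actual range (here at most alpha, since d1 to d4 sum to 1).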
A network security situation perception method based on a local area network comprises the following specific steps:
w1: detecting the worm virus of the host equipment, and acquiring host information infected by the worm virus in a preset time period;
w2: obtaining equipment threat table information and virus threat table information according to the host information obtained in the step W1;
w3: when a virus signal is monitored to be generated, recording host information infected by the virus at the moment, and analyzing to obtain an attack value Pg; the specific analysis steps are as follows:
w31: automatically acquiring corresponding device threat values from the device threat table information and the virus threat table information in the step W2 according to the host information, and marking the device threat values as Qc and the corresponding virus threat values as Rc;
w32: acquiring the start time and the end time of the virus attack, and calculating the time difference between the start time and the end time of the virus attack to obtain the virus attack duration and marking the virus attack duration as Gi;
W33: using a formula (image BDA0002746138430000131, not reproduced on this page), the attack value Pg is calculated;
w4: monitoring the real-time utilization rate of a CPU of the host equipment, and performing steady-state analysis on the real-time utilization rate to obtain a steady-state value Ui;
w5: performing security analysis by combining the attack value Pg, the steady state value Ui, the real-time utilization rate group Fa and the real-time network access speed to obtain a security evaluation value AC;
w6: the method comprises the following steps of carrying out grade judgment on a safety evaluation value AC to obtain an early warning signal, specifically:
W61: when AC ≤ X2, the early warning signal is a light threat signal;
W62: when X2 < AC < X3, the early warning signal is a moderate threat signal;
W63: when AC ≥ X3, the early warning signal is a severe threat signal; wherein X2 and X3 are preset values.
When the system works, the virus monitoring module first detects the worm virus and acquires the host information infected by the worm virus within a preset time period, and the data analysis module receives that host information and analyses it to obtain the equipment threat table information and the virus threat table information. The time difference between the virus attack end time and the virus attack start time in the host information is calculated to obtain the virus attack duration.

For each host equipment number, the number of times that host was attacked is accumulated to form the equipment attack frequency, and the virus attack durations of that host are accumulated to form the total equipment attack duration; each host equipment number is assigned a preset value, and matching the host equipment number against all host equipment numbers yields the corresponding equipment preset value. The equipment threat value Qi of each host is then calculated with the formula Qi = J1i × Z1 + J2i × Z2 + Wi × Z3, the hosts are arranged in descending order of Qi, and the equipment threat table information is compiled.

Likewise, for each virus name the number of attacks is accumulated to form the virus attack frequency and the virus attack durations are accumulated to form the total virus attack duration; each virus is assigned a preset value, and matching the virus against all viruses yields the corresponding virus preset value. The virus threat value Ri of each virus is calculated with the formula Ri = J3m × C1 + J4m × C2 + Bm × C3, the viruses are arranged in descending order of Ri, and the virus threat table information is compiled.

Through the equipment threat table information and the virus threat table information, managers can see clearly how threatened each host is by virus attacks and how threatening each virus is; hosts at high risk are identified automatically according to the magnitudes of the equipment threat value Qi and the virus threat value Ri, different safety protections are applied to different virus attacks, and the protective effect is effectively enhanced.
When a virus signal is monitored, the host information infected by the virus at that moment is recorded and analysed to obtain the attack value Pg: the device threat value corresponding to the host equipment number is acquired automatically from the storage module according to the host information and marked Qc, the virus threat value corresponding to the virus name is acquired and marked Rc, and the attack value Pg is calculated using a formula (image BDA0002746138430000141, not reproduced on this page). The CPU monitoring module monitors the real-time CPU utilization rate of the host equipment and performs steady-state analysis on it to obtain the steady-state value Ui. When the security evaluation module receives the attack value Pg, it automatically combines the steady-state value Ui, the real-time utilization rate group Fa and the real-time network access speed to perform security analysis, and obtains the security evaluation value AC using a formula (image BDA0002746138430000142, not reproduced on this page). The controller performs grade judgment on the security evaluation value AC to obtain an early warning signal; when a light threat signal, a moderate threat signal or a severe threat signal is generated, the words 'light threat', 'moderate threat' or 'severe threat' are correspondingly displayed on the display module.

In summary, the invention analyses the virus attack suffered by the host through the data processing module to obtain the attack value Pg; it then monitors and analyses the real-time CPU utilization rate of the host equipment through the CPU monitoring module to obtain the steady-state value Ui, while monitoring the real-time network access speed of the host equipment through the network speed monitoring module; the attack value Pg, the steady-state value Ui and the real-time network access speed are then analysed together to obtain the security evaluation value AC, and grade judgment on AC yields the early warning signal, so that the result is more accurate and more convenient for management personnel to handle.
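As an added worked example (Python written for this page, not code from the patent), the construction of the equipment and virus threat tables described in the working summary above (steps one to seven, also claim 1) and the lookup of Qc, Rc and Gi for a newly reported infection (steps S1 to S3), run over a constructed set of worm infection records. Host numbers, virus names, timestamps, the preset values Wi and Bm, the weight triples Z and C and the coefficient factors a1 to a3 are constructed; durations are in minutes, an assumed unit; and because the page does not reproduce its Pg formula, attack_value() uses an assumed weighted sum that merely keeps the page's inputs Qc, Rc, Gi and the page's coefficient names a1, a2, a3.

```python
"""Equipment / virus threat tables (steps one to seven of the description,
claim 1) and the S1-S3 lookup feeding the attack value Pg.  Added illustration,
not the patent's code.  Host numbers, virus names, times, the preset values Wi
and Bm, the weights Z1 > Z2 > Z3 and C1 > C2 > C3 and the factors a1..a3 are
constructed; durations are in minutes (assumed unit).  The page does not
reproduce its Pg formula, so attack_value() is an ASSUMED weighted-sum stand-in
that keeps only the page's inputs Qc, Rc, Gi and its coefficient names a1..a3."""
from collections import defaultdict
from datetime import datetime
from typing import Callable, Dict, List, NamedTuple, Tuple


class Infection(NamedTuple):
    host_id: str        # host equipment number
    virus: str          # virus name
    start: datetime     # virus attack start time
    end: datetime       # virus attack end time

    def duration_min(self) -> float:
        """Step one: attack end time minus attack start time."""
        minutes = (self.end - self.start).total_seconds() / 60.0
        if minutes < 0:
            raise ValueError(f"{self.host_id}/{self.virus}: ends before it starts")
        return minutes


Table = List[Tuple[str, float]]   # (key, threat value), descending


def _threat_table(events: List[Infection], key: Callable[[Infection], str],
                  preset: Dict[str, float], weights: Tuple[float, float, float],
                  label: str) -> Table:
    """Steps two to seven share one shape: per key, frequency (J1i / J3m),
    total duration (J2i / J4m), preset (Wi / Bm); threat value
    frequency*w1 + total*w2 + preset*w3 (Qi / Ri); sorted descending."""
    w1, w2, w3 = weights
    if not (w1 > w2 > w3 > 0):
        raise ValueError(f"page requires {label}1 > {label}2 > {label}3")
    freq: Dict[str, int] = defaultdict(int)
    total: Dict[str, float] = defaultdict(float)
    for e in events:
        k = key(e)
        freq[k] += 1
        total[k] += e.duration_min()
    missing = sorted(k for k in freq if k not in preset)
    if missing:   # steps three/six match every key against a preset value
        raise KeyError(f"no preset value for {missing}")
    scores = {k: freq[k] * w1 + total[k] * w2 + preset[k] * w3 for k in freq}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


def device_threat_table(events, Wi, Z=(5.0, 2.0, 1.0)) -> Table:
    """Qi = J1i*Z1 + J2i*Z2 + Wi*Z3 for each host, descending (Z assumed)."""
    return _threat_table(events, lambda e: e.host_id, Wi, Z, "Z")


def virus_threat_table(events, Bm, C=(4.0, 2.0, 1.0)) -> Table:
    """Ri = J3m*C1 + J4m*C2 + Bm*C3 for each virus, descending (C assumed)."""
    return _threat_table(events, lambda e: e.virus, Bm, C, "C")


def attack_inputs(event: Infection, device_table: Table,
                  virus_table: Table) -> Tuple[float, float, float]:
    """S1-S3: Qc and Rc for the newly reported infection, and its duration Gi.
    An unknown host or virus raises: the page only describes matching known
    entries, and silently scoring it 0 would hide a brand-new worm."""
    qc = dict(device_table).get(event.host_id)
    rc = dict(virus_table).get(event.virus)
    if qc is None or rc is None:
        raise KeyError(f"{event.host_id}/{event.virus} not in stored threat tables")
    return qc, rc, event.duration_min()


def attack_value(qc: float, rc: float, gi: float,
                 a: Tuple[float, float, float] = (0.5, 0.3, 0.2)) -> float:
    """S4 stand-in (ASSUMED): a1*Qc + a2*Rc + a3*Gi."""
    a1, a2, a3 = a
    return a1 * qc + a2 * rc + a3 * gi


def hhmm(clock: str) -> datetime:
    """Constructed timestamps, all on one day."""
    return datetime(2020, 10, 27, int(clock[:2]), int(clock[3:]))


# Constructed worm infection records for the preset time period.
EVENTS = [
    Infection("host-01", "WormA", hhmm("09:00"), hhmm("09:30")),
    Infection("host-01", "WormB", hhmm("10:00"), hhmm("10:10")),
    Infection("host-02", "WormA", hhmm("09:05"), hhmm("09:50")),
    Infection("host-03", "WormC", hhmm("11:00"), hhmm("11:05")),
]
WI = {"host-01": 8.0, "host-02": 5.0, "host-03": 2.0}   # constructed presets
BM = {"WormA": 9.0, "WormB": 3.0, "WormC": 6.0}
NEW_SIGNAL = Infection("host-01", "WormA", hhmm("12:00"), hhmm("12:20"))


def run_pipeline(events=EVENTS, Wi=WI, Bm=BM, new=NEW_SIGNAL) -> Dict[str, object]:
    """Build both tables, then score one newly monitored virus signal."""
    dev, vir = device_threat_table(events, Wi), virus_threat_table(events, Bm)
    qc, rc, gi = attack_inputs(new, dev, vir)
    return {"device_table": dev, "virus_table": vir,
            "Qc": qc, "Rc": rc, "Gi": gi, "Pg": attack_value(qc, rc, gi)}


if __name__ == "__main__":
    for k, v in run_pipeline().items():
        print(k, v)
```

Both tables enforce the page's ordering constraints Z1 > Z2 > Z3 and C1 > C2 > C3. Two failure modes the page does not address are made explicit rather than silent: a host or virus with no preset value aborts table construction, and a virus signal whose host or virus is absent from the stored tables raises at lookup time, which is the point at which a deployment has to decide how a never-seen worm should be scored.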
The above formulas are all obtained by collecting a large amount of data to perform software simulation and performing parameter setting processing by corresponding experts, and the formulas are in accordance with real results.
The preferred embodiments of the invention disclosed above are intended to be illustrative only. The preferred embodiments are not intended to be exhaustive or to limit the invention to the precise forms disclosed. Obviously, many modifications and variations are possible in light of the above teaching. The embodiments were chosen and described in order to best explain the principles of the invention and the practical application, to thereby enable others skilled in the art to best utilize the invention. The invention is limited only by the claims and their full scope and equivalents.

Claims (2)

1. A network security situation perception system based on a local area network is characterized by comprising a virus monitoring module, a data analysis module, a controller, a storage module, a data processing module, a CPU monitoring module, a network speed monitoring module, a security evaluation module and a display module;
the virus monitoring module is used for detecting the worm virus and acquiring host information infected by the worm virus in a preset time period; the data analysis module is used for receiving host information infected by the worm virus in a preset time period and analyzing the host information to obtain equipment threat table information and virus threat table information; the specific analysis steps are as follows:
the method comprises the following steps: acquiring host information infected by the worm virus in a preset time period; the host information comprises a host equipment number, a virus name, a virus attack starting time and a virus attack finishing time; calculating the time difference between the virus attack ending time and the virus attack starting time in the host information to obtain the virus attack duration;
step two: accumulating the number of times the same host equipment number was attacked to form the equipment attack frequency, marked J1i, wherein i represents the ith host device;
accumulating the virus attack durations of the same host equipment number to form the total equipment attack duration, marked J2i; the equipment attack frequency J1i corresponds one-to-one to the total equipment attack duration J2i;
step three: setting that each host equipment number corresponds to a preset value, matching the host equipment number with all the host equipment numbers to obtain corresponding equipment preset values, and marking the equipment preset values as Wi;
carrying out weight distribution on the equipment attack frequency, the equipment attack total time length and an equipment preset value, marking the weight of the equipment attack frequency as Z1, marking the weight of the equipment attack total time length as Z2, and marking the weight of the equipment preset value as Z3, wherein Z1, Z2 and Z3 are preset values, and Z1 is more than Z2 and more than Z3;
step four: respectively calculating the device threat value Qi of each host device by using the formula Qi = J1i × Z1 + J2i × Z2 + Wi × Z3;
arranging host equipment in a descending order according to the equipment threat values Qi and making equipment threat table information;
step five: accumulating the number of attacks with the same virus name to form the virus attack frequency, marked J3m, wherein m represents the mth virus;
accumulating the virus attack durations of the same virus name to form the total virus attack duration J4m; the virus attack frequency J3m corresponds one-to-one to the total virus attack duration J4m;
step six: setting each virus to correspond to a preset value, matching the virus with all the viruses to obtain corresponding preset virus values, and marking the preset virus values as Bm;
carrying out weight distribution on the virus attack frequency, the total virus attack duration and a virus preset value, marking the weight of the virus attack frequency as C1, marking the weight of the total virus attack duration as C2, and marking the weight of the virus preset value as C3, wherein C1, C2 and C3 are preset values, and C1 is more than C2 and more than C3;
step seven: calculating a virus threat value Ri of each virus by using a formula Ri = J3m × C1+ J4m × C2+ Bm × C3 respectively; arranging viruses in a descending order according to the virus threat value Ri and making virus threat table information;
the data analysis module is used for transmitting the equipment threat table information and the virus threat table information to the controller, and the controller receives the equipment threat table information and the virus threat table information transmitted by the data analysis module and transmits the equipment threat table information and the virus threat table information to the storage module for storage;
the virus monitoring module is used for transmitting a virus signal to the data processing module when a virus is monitored; the data processing module analyzes the virus signal transmitted by the virus monitoring module to obtain an attack value Pg when receiving the virus signal; the specific analysis steps are as follows:
s1: when the virus signal is monitored to be generated, recording host information infected by the virus at the moment;
s2: automatically acquiring a device threat value corresponding to the host device number from a storage module according to host information, marking the device threat value as Qc, and acquiring a virus threat value corresponding to a virus name, marking the virus threat value as Rc;
s3: acquiring the start time and the end time of the virus attack, and calculating the time difference between the start time and the end time of the virus attack to obtain the virus attack duration and marking the virus attack duration as Gi;
S4: using a formula (image DEST_PATH_IMAGE002, not reproduced on this page), the attack value Pg is calculated, wherein a1, a2 and a3 are all preset coefficient factors; the data processing module is used for transmitting the attack value Pg to the security evaluation module;
the CPU monitoring module is used for monitoring the real-time utilization rate of a CPU of the host equipment and carrying out steady-state analysis on the real-time utilization rate to obtain a steady-state value Ui; the specific analysis process is as follows:
SS1: the start time of the virus attack is marked as time t, and the real-time CPU utilization rate acquired at time t is denoted F_t; from the start time of the virus attack to its end time the real-time CPU utilization rate is collected once every interval T1 and marked F_{t+x}, x = 1, ..., n, giving the real-time utilization rate group Fa;
SS2: the end time of the virus attack is marked as time r, and the real-time CPU utilization rate acquired at time r is denoted F_r;
SS3: using a formula (image DEST_PATH_IMAGE004, not reproduced on this page), the steady deviation value GL1 of the real-time utilization rate group Fa from F_t is obtained; using a second formula (image DEST_PATH_IMAGE006, not reproduced on this page), the steady deviation value GL2 of Fa from F_r is obtained;
SS4: obtaining the steady-state value Ui by using the formula Ui = GL1 × D1 + GL2 × D2, wherein D1 and D2 are preset coefficient factors and D1 > D2;
the CPU monitoring module is used for transmitting the steady state value Ui and the real-time utilization rate group Fa to the safety evaluation module; the network speed monitoring module is used for monitoring the real-time network access speed of the host equipment and transmitting the real-time network access speed to the security evaluation module;
when the security evaluation module receives the attack value Pg, the security evaluation module automatically combines the steady state value Ui, the real-time utilization rate group Fa and the real-time network access speed to perform security analysis to obtain a security evaluation value AC; the specific analysis steps are as follows:
DD 1: when receiving the attack value Pg, acquiring a real-time utilization rate group Fa at the moment;
DD2: traversing the real-time utilization rate group Fa, and acquiring the maximum real-time utilization rate Fmax and the minimum real-time utilization rate Fmin; calculating the difference Fc between them, namely Fc = Fmax - Fmin;
DD3: calculating the real-time utilization rate difference Gc before and after the virus attack, namely Gc = F_r - F_t;
obtaining the difference ratio Cb by the formula Cb = Fc / Gc;
DD 4: acquiring the real-time network access speed when the attack value Pg is received, and marking the real-time network access speed as S1;
DD5: using a formula (image DEST_PATH_IMAGE008, not reproduced on this page), the security evaluation value AC is obtained; d1, d2, d3 and d4 are all preset proportionality coefficients, and alpha is a compensation factor with the value 0.56325;
the safety evaluation module is used for transmitting the safety evaluation value AC to the controller, and the controller is used for carrying out grade evaluation on the safety evaluation value AC to obtain an early warning signal, and specifically comprises the following steps:
AA1: when AC ≤ X2, the early warning signal is a light threat signal;
AA2: when X2 < AC < X3, the early warning signal is a moderate threat signal;
AA3: when AC ≥ X3, the early warning signal is a severe threat signal; wherein X2 and X3 are preset values;
the controller is used for transmitting the security evaluation value AC to the display module for displaying, and correspondingly displaying words of 'light threat', 'moderate threat' and 'severe threat' when generating a light threat signal, a moderate threat signal and a severe threat signal.
2. A network security situation awareness method based on a local area network, applied to the network security situation awareness system based on the local area network as claimed in claim 1, the method is characterized by comprising the following specific steps:
w1: detecting the worm virus of the host equipment, and acquiring host information infected by the worm virus in a preset time period;
w2: obtaining equipment threat table information and virus threat table information according to the host information obtained in the step W1;
w3: when a virus signal is monitored to be generated, recording host information infected by the virus at the moment, and analyzing to obtain an attack value Pg; the specific analysis steps are as follows:
w31: automatically acquiring corresponding device threat values from the device threat table information and the virus threat table information in the step W2 according to the host information, and marking the device threat values as Qc and the corresponding virus threat values as Rc;
w32: acquiring the start time and the end time of the virus attack, and calculating the time difference between the start time and the end time of the virus attack to obtain the virus attack duration and marking the virus attack duration as Gi;
W33: using a formula (image DEST_PATH_IMAGE002A, not reproduced on this page), the attack value Pg is calculated, wherein a1, a2 and a3 are all preset coefficient factors;
w4: monitoring the real-time utilization rate of a CPU of the host equipment, and performing steady-state analysis on the real-time utilization rate to obtain a steady-state value Ui;
w5: performing security analysis by combining the attack value Pg, the steady state value Ui, the real-time utilization rate group Fa and the real-time network access speed to obtain a security evaluation value AC;
w6: the method comprises the following steps of carrying out grade judgment on a safety evaluation value AC to obtain an early warning signal, specifically:
W61: when AC ≤ X2, the early warning signal is a light threat signal;
W62: when X2 < AC < X3, the early warning signal is a moderate threat signal;
W63: when AC ≥ X3, the early warning signal is a severe threat signal.
Application CN202011167000.2A (priority date 2020-10-27, filing date 2020-10-27): Network security situation sensing system and method based on local area network; granted as CN112351010B (en); legal status Expired - Fee Related

Publications (2)

Publication Number Publication Date
CN112351010A CN112351010A (en) 2021-02-09
CN112351010B (en) 2022-05-17 (granted publication)

Family

ID=74359202


Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113254978B (en) * 2021-06-24 2021-09-21 国能大渡河大数据服务有限公司 Data security management system based on machine learning
CN113507456B (en) * 2021-06-25 2022-08-19 中标慧安信息技术股份有限公司 Illegal attack monitoring method for Internet of things platform
CN116668194B (en) * 2023-07-27 2023-10-10 北京弘明复兴信息技术有限公司 Network security situation assessment system based on Internet centralized control platform

Citations (2)

Publication number Priority date Publication date Assignee Title
CN107679768A (en) * 2017-10-25 2018-02-09 中国南方电网有限责任公司 A kind of Situation Awareness System and its construction method based on real-time data of power grid
CN109067596A (en) * 2018-09-21 2018-12-21 南京南瑞继保电气有限公司 A kind of substation network security postures cognitive method and system

Family Cites Families (4)

Publication number Priority date Publication date Assignee Title
US20180262525A1 (en) * 2017-03-09 2018-09-13 General Electric Company Multi-modal, multi-disciplinary feature discovery to detect cyber threats in electric power grid
CN109302408B (en) * 2018-10-31 2020-07-28 西安交通大学 Network security situation assessment method
CN110716476B (en) * 2019-11-08 2021-02-12 珠海市鸿瑞信息技术股份有限公司 Industrial control system network security situation perception system based on artificial intelligence
CN111652496B (en) * 2020-05-28 2023-09-05 中国能源建设集团广东省电力设计研究院有限公司 Running risk assessment method and device based on network security situation awareness system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20220517